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Abstract 

We show that several problems that figure prominently in quantum computing, including 
Hidden Coset, Hidden Shift, and Orbit Coset, are equivalent or reducible to Hidden 
Subgroup for a large variety of groups. We also show that, over permutation groups, the 
decision version and search version of Hidden Subgroup are polynomial-time equivalent. For 
Hidden Subgroup over dihedral groups, such an equivalence can be obtained if the order of 
the group is smooth. Finally, we give nonadaptive program checkers for Hidden Subgroup 
and its decision version. 

Topic Classification: Computational Complexity, Quantum Computing. 

1 Introduction 

The Hidden Subgroup problem generalizes many interesting problems that have efficient quan- 
tum algorithms but whose known classical algorithms are inefficient. While we can solve Hidden 
Subgroup over abelian groups satisfactorily on quantum computers, the nonabelian case is more 
challenging. Until now only limited success has been reported. For a recent survey on the progress 
of solving nonabelian Hidden Subgroup, see Lomont [Lom04] . People are particularly interested 
in solving Hidden Subgroup over two families of nonabelian groups — permutation groups and 
dihedral groups — since solving them will immediately give solutions to the Graph Isomorphism 
problem [JozOO] and the Shortest Lattice Vector problem |Reg04| , repectively. 



To explore more fully the power of quantum computers, researchers have also introduced and 
studied several related problems. Van Dam, Hallgren, and Ip [vDHI03] introduced the Hidden 
Shift problem and gave efficient quantum algorithms for some instances. Their results provide 
evidence that quantum computers can help to recover shift structure as well as subgroup struc- 
ture. They also introduced the Hidden Coset problem to generalize Hidden Shift and Hidden 
Subgroup. Recently, Childs and van Dam |CvD05| introduced the Generalized Hidden Shift 
problem, which extends Hidden Shift from a different angle. They gave efficient quantum algo- 
rithms for Generalized Hidden Shift over cyclic groups where the number of functions is large 
(see Definition 12.21 and the subsequent discussion). In an attempt to attack Hidden Subgroup 
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using a divide-and-conquer approach over subgroup chains, Friedl et al. [FI M + 03 introduced the 



Orbit Coset problem, which they claimed to be an even more general problem including Hidden 
SUBGROUP and Hidden ShifTlI as special instances. They called Orbit Coset a quantum gener- 
alization of Hidden Subgroup and Hidden Shift, since the definition of Orbit Coset involves 
quantum functions. 

In Section (3J we show that all these related problems are equivalent or reducible to Hidden 
Subgroup. In particular, 

1. Hidden Coset is polynomial-time equivalent to Hidden Subgroup, 

2. Orbit Coset is equivalent to Hidden Subgroup if we allow functions in the latter to be 
quantum functions, and 

3. Hidden Shift and Generalized Hidden Shift reduce to instances of Hidden Subgroup 
over a family of wreath product groups. 

Some special cases of these results are already known. It is well-known that Hidden Shift over 
the cyclic group Z n is equivalent to Hidden Subgroup over the dihedral group D n = 7L n xi Z2 (see 
[CvD05| for example), and this fact easily generalizes to any abelian group. Our results apply to 
general groups, however, including nonabelian groups where a nontrivial semidirect product with 
Z2 may not exist. Regarding the relationship between Hidden Shift and Generalized Hidden 
Shift, Childs and van Dam observed that it is trivial to reduce any instance of Generalized 
Hidden Shift to Hidden Shift over the same group (and thence to dihedral Hidden Subgroup 
in the case of abelian groups) in polynomial time [CvD05j . They left open the question, however, of 
whether any versions of Generalized Hidden Shift with more than two functions are equivalent 
to any versions of Hidden Subgroup. We make progress towards answering this question in 
the affirmative. We give a direct "embedding" reduction from Generalized Hidden Shift to 
Hidden Subgroup such that the original input instances of Generalized Hidden Shift can be 
recovered efficiently from their images under the reduction. Our reduction runs in polynomial time 
provided the number of functions of the input instance is relatively small. 

There are a few results in the literature about the complexity of Hidden Subgroup. It is 
well-known that Hidden Subgroup over abelian groups is solvable in quantum polynomial time 
with bounded error [Kit95} IMos99| . Ettinger, Hoyer, and Knill [EHK04] showed that Hidden 
Subgroup (over arbitrary finite groups) has polynomial quantum query complexity. Arvind and 
Kurur [AK02] showed that Hidden Subgroup over permutation groups is in the class FP SPP and 
is thus low for the counting complexity class PP. In Section 0] we study the relationship between 
the decision and search versions of Hidden Subgroup, denoted Hidden Subgroup/} and Hidden 
Subgroups, respectively. It is well known that NP-complete sets such as SAT are self-reducible, 
which implies that the decision and search versions of NP-complete problems are polynomial- 
time equivalent. We show this is also the case for Hidden Subgroup and Hidden Shift over 
permutation groups. Kempe and Shalev have recently given evidence that Hidden Subgroup^ 
over permutation groups is a difficult problem [KS05]. They showed that under general conditions, 
various forms of the Quantum Fourier Sampling method are of no help (over classical exhaustive 
search) in solving Hidden Subgroup/) over permutation groups. Our results yield evidence of a 
different sort that this problem is difficult — namely, it is just as hard as the search version. 



1 They actually called it the Hidden Translation problem. 
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For Hidden Subgroup over dihedral groups, our results are more modest. We show the search- 
decision equivalence for dihedral groups of smooth order, i.e., where the largest prime dividing the 
order of the group is small. 

Combining our results in Sections [3] and [H we obtain nonadaptive program checkers for Hidden 
Subgroup and Hidden Subgroup^ over permutation groups. We give the details in Section 

2 Preliminaries 
2.1 Group Theory 

Background on general group theory and quantum computation can be found in textbooks such as 
[Sco87j and |NC00j . 

The wreath product of groups plays an important role in several proofs in this paper. We only 
need to define a special case of the wreath product. 

Definition 2.1 For any finite group G, the wreath product G 2 Z n of G and 7L n = {0, 1, . . . , n — 1} 
is the set {(51,52, • • • , g n , t) | 51, 52, . . . , g n £ G, r G Z n } equipped with the group operation o such 
that 

(51,92, • • • ,5n,r) o (51,52,.. .,g' n ,T') = (5r'(l)5l,5r'(2)52) • • • , 5r'(n)5^, TT J ). 

We abuse notation here by identifying r and r 1 with cyclic permutations over the set {1, ... ,n} 
sending x to x + r mod n and to x + r' mod n, respectively, and identifying with n. 

If Z is a set, then Sz is the symmetric group of permutations of Z. We define the composition 
order to be from left to right, i.e., for 51,52 G Sz, 5152 is the permutation obtained by applying g\ 
first and then g<i- For n > 1, we abbreviate S'{i > 2,...,n} by S n . Subgroups of S n are the permutation 
groups of degree n. For a permutation group G < S n and an element i G {1, . . . , n}, let G® denote 
the pointwise stabilizer subgroup of G that fixes the set {1,... , i} pointwise. The chain of the 
stabilizer subgroups of G is {id} = G^ < G^" 1 ) < • • • < G^ < G^ = G. Let d be a complete 
set of right coset representatives of G^' in G^ _1 \ 1 < i < n. Then the cardinality of G, is at most 
n — i and U" =1 Gj forms a strong generator set for G |Sim 70]. Any element 5 € G can be written 
uniquely as 5 = g n gn~i • ■ - 5i with 5, G Gj. Furst, Hopcroft, and Luks [FHL8Q] showed that given 
any generator set for G, a strong generator set can be computed in polynomial time. For X C Z 
and G < Sz, we use Gx to denote the subgroup of G that stablizes X setwise. It is evident that 
Gx is the direct sum of Sx and Sz\x ■ We are particularly interested in the case when G is S n . In 
this case, a generating set for Gx can be easily computed. 

Let G be a finite group. Let T be a set of mutually orthogonal quantum states. Let a:GxT-> 
r be a group action of G on T, i.e., for every x G G the function q x : T — > T mapping |</>) to \a(x, \<p))) 
is a permutation over T, and the map h from G to the symmetric group over T defined by h(x) = a x 
is a homomorphism. We use the notation \x • <f>) instead of \a(x , \<f)))) , when a is clear from the 
context. We let G(\<f>)) denote the orbit of \4>) with respect to a, i.e., the set {\x ■ <f>) : x E G}, 
and we let G^ denote the stabilizer subgroup of \<f>) in G, i.e., {x G G : \x ■ 4>) = l^}}- Given 
any positive integer t, let a* denote the group action of G on r = {{(j))® 1 ■ \4>) G T} defined by 
a* (a;, = |s • 0}®*. We need a* because the input superpositions cannot be cloned in general. 

Definition 2.2 Let G be a finite group. 
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1. Given a generating set for G and a function / that maps G to some finite set S such that the 
values of / are constant on a subgroup H of G and distinct on each left (right) coset of H, 
the Hidden Subgroup problem is to find a generating set for H. The decision version of 
Hidden Subgroup, denoted as Hidden Subgroup^, is to determine whether H is trivial. 
The search version, denoted as Hidden Subgroups', is to find a nontrivial element of H if 
there is one. 

2. Given a generating set for G and n injective functions /i, /2, • • • , /n defined on G, with 
the promise that there is a (necessarily unique) "shift" u £ G such that for all g € G, 
fi{g) = f 2(119), f 2(9) = h{ug), U-i(g) = fn(ug), the Generalized Hidden Shift 
problem |CvD05| is to find u. We sometimes denote this problem as (n, G)-GHSh for short. 
If n = 2, this problem is called the Hidden Shift problem. The functions /1, ■■-,/«, are 
given uniformly via a single function F such that fi(g) = F(i,g) for all g € G and 1 < £ < n. 

3. Given a generating set for G and two functions /1 and /2 defined on G such that for some 
shift u £ G, fi(g) = h(gu) for all g in G, the Hidden Coset problem [vDHI03j is to find 
the set of all such shifts u. This set is a coset Hu of a subgroup H of G, and we can represent 
it by giving generators for H together with one of the u. 

4. Given a generating set for G and two quantum states |0o)>|0i) € I\ the Orbit Coset 
problem |FiM + 03] is to either reject the input if G(\<f)o)) H = 0, or else output both a 
u € G such that |u • 0i) = |0o) and also a generating set for Gujj. 

Van Dam, Hallgren, and Ip give efficient quantum algorithms for various instances of Hidden 
Coset using Fourier sampling [vDHI03j. Childs and van Dam give a polynomial-time quantum 
algorithm for (M,Zjv)-GHSh when M > N e for any fixed e > [CvD05] . Friedl, et al. [FIM+03] 
give polynomial-time quantum algorithms for (among others) (2,Zp)-GHSH where p is a fixed 
prime, and more generally for (2, G)-GHSh if G is "smoothly solvable," a class of groups that 
includes solvable groups of bounded exponent and bounded derived series length. The latter results 
come via algorithms for Orbit Coset. 

2.2 Program checkers 

Let 7r be a computational decision or search problem. Let x be an input to it and ir(x) be the 
output of 7T. Let P be a deterministic program (supposedly) for tt that halts on all inputs. We 
are interested in whether P has any bug, i.e., whether there is some x such that P(x) ^ tt(x). A 
efficient program checker C for P is a probabilistic expected-polynomial-time oracle Turing machine 
that uses P as an oracle and takes x and a positive integer k (presented in unary) as inputs. The 
running time of C does not include the time it takes for the oracle P to do its computations. C will 
output CORRECT with probability > 1 — \/2 k if P is correct on all inputs (no bugs), and output 
BUGGY with probability > 1 - l/2 fc if P(x) ^ ir(x). This probability is over the sample space 
of all finite sequences of coin flips C could have tossed. However, if P has bugs but P(x) = vr(x), 
we allow C to behave arbitrarily. If C only queries the oracle nonadaptively, then we say C is a 
nonadaptive checker. See Blum and Kannan [B K95] for more details. 
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3 Several Reductions 



The Hidden Coset problem is to find the set of all shifts of the two functions fx and /2 defined 
on the group G. If Hu is the coset of all shifts, then fx is constant on H (see |vDH I03 Lemma 
6.1). If we let fx and f2 be the same function chosen appropriately, we get Hidden Subgroup as 
a special case. On the other hand, if fx and f2 are injective functions, this is Hidden Shift. 

Theorem 3.1 Hidden Coset is polynomial-time equivalent to Hidden Subgroup. 

Proof. Let G and fx, f2 be the input of Hidden Coset. Let the set of shifts be Hu, where H is 
a subgroup of G and u is a coset representative. Define a function / with domain GIZ2 as follows: 
for any (gx,g2,r) GGiZ 2) 



f{gi,92,T) 



U /2G72)) ifr = 0, 
{f 2(92), f 1(91)) ifr = l. 



The values of / are constant on the set K = (H x u~ l Hu x {0}) U (u~ l H x Hu x {1}), which 
is a subgroup of G ! Z2. Furthermore, the values of / are distinct on all left cosets of K. Given a 
generating set of K, there is at least one generator of the form (kx, &2> !)• Pick &2 to be the coset 
representative u of H. Form a generating set S of iJ as follows: 5 is initially empty. For each 
generator of K, if it is of the form (kx,k2,0), then add kx and uk2U~ l to S 1 ; if it is of the form 
(kx, Jt2, 1), then add ukx and k2U~ x to S 1 . □ 



Corollary 3.2 Hidden Coset has polynomial quantum query complexity. 



It was mentioned in Friedl et al. FIM + 03] that Hidden Coset in general is of exponential 
(classical) query complexity. 

Using a similar approach, we show Generalized Hidden Shift essentially addresses Hidden 
Subgroup over a different family of groups. We directly embed an instance of (n, G)-GHSh into 
an instance of Hidden Subgroup over the group G I Z n . When n = 2, we get a polynomial-time 
reduction from Hidden Shift over G to Hidden Subgroup over G I Z 2 (Corollary 13. 4p . This 
reduction was claimed independently (without proof) by Childs and Wocjan [CW05]. 

Proposition 3.3 For n > 2 and G a group, (n, G)-GHSh reduces to Hidden Subgroup over 
Gl Z n in time polynomial in n + s, where s is the size of the representation of an element of G. 
Further, each instance of (n,G)-GHSH can be recovered in polynomial time from its image under 
the reduction. 

Proof. The input for Generalized Hidden Shift is a group G and n injective functions 
h, h, ■ ■ ■ , f n defined on G such that for all g G G, fx{g) = f2(ug), . . . , f n -\{g) = fn(ug). Con- 
sider the group G I Z n . Define a function / such that for any element in (gx, . . . ,g n , r) G G I Z n , 
f((gx, ■ ■ ■ , 9n-> T )) = (/T(l)(Sl))---)/r(n)(Sn))- The function values of / will be constant and distinct 
for right cosets of the n-element cyclic subgroup generated by (u, u, . . . , u, -u 1-n , 1). 

Given the / defined in the last paragraph, it is trivial to recover the original functions fx, ■ ■ ■ , f n 
by noting that fi(g) is the i'th component of f((g, ■ ■ ■ ,g,0)). □ 
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Corollary 3.4 Hidden Shift reduces to Hidden Subgroup in polynomial time (for arbitrary 
groups). 



Proof. This is the n = 2 case of Proposition 13,31 □ 

Van Dam, Hallgren, and Ip [vDHI03] introduced the Shifted Legendre Symbol problem as a 
natural instance of Hidden Shift. They claimed that assuming a conjecture this problem can 
also be reduced to an instance of Hidden Subgroup over dihedral groups. By Corollary 13.41 this 
problem can be reduced to Hidden Subgroup over wreath product groups without any conjecture. 

The case where n > 2 in Proposition 13.31 may be more interesting from a structural point of 
view then a complexity theoretic one. We already know [CvD05] that (n, G)-GHSh for n > 2 
trivially reduces to (2, G)-GHSh, simply by ignoring the information provided by the functions 
fs,..., f n . One then gets a polynomial-time reduction from (n, G)-GHSh to Hidden Subgroup 
over GlZ 2 . Therefore, the reduction in Proposition [3T3] of (n, G)-GHSh to Hidden Subgroup over 
G I Z n only tells us something complexitywise if the instances of Hidden Subgroup over G 1 1, n 
produced by the reduction turn out to be easier than those of Hidden Subgroup over G I Z2. 
This is conceivable, albeit unlikely. Nonetheless, the fact that (n, G)-GHSh embeds into Hidden 
Subgroup over G I Z n in a natural way is interesting in itself, and may suggest other reductions 
in a similar vein. 

We also note that, unfortunately, it does not seem as though Proposition 13.31 translates the 
results of |CvD05| into fast quantum algorithms for any new family of instances of Hidden Sub- 
group over wreath product groups of the form Zjv I Zm, because their algorithm is efficient only 
if M > N e for fixed e > 0, and our reduction is efficient only if M is polylogarithmic in N. 

Next we show that Orbit Coset is not a more general problem than Hidden Subgroup 
either, if we allow the function in Hidden Subgroup to be a quantum function. We need this 
generalization since the definition of Orbit Coset involves quantum functions, i.e., the ranges 
of the functions are sets of orthogonal quantum states. In Hidden Subgroup, the function is 
implicitly considered by most researchers to be a classical function, mapping group elements to a 
classical set. For the purposes of quantum computation, however, this generalization to quantum 
functions is natural and does not affect any existing quantum algorithms for Hidden Subgroup. 

Proposition 3.5 Orbit Coset is quantum polynomial-time equivalent to Hidden Subgroup. 

Proof. Let G and two orthogonal quantum states \(j>o), \4>i) G T be the inputs of Orbit Coset. 
Define the function / : G I Z2 —* T <8> T as follows: 



/ (5i,52, t) 



1 51 • 00 ) ® 1 52 • <t>i) if r = 0, 

1 52 • 4>i) ® 1 51 • 4>o) if t = 1. 



The values of the function / are identical and orthogonal on each left coset of the following subgroup 
H of G I Z2: If there is no u G G such that \u ■ <f>i) = \4>o), then H = G\^ x Gu^ x {0}. If there is 
such a u, then H = (G^ ) x x {0}) U (G^iT 1 x uG^ x {1}). For i,j G {0, 1}, let & e G 

be the i'th coset representative of G\^ \ (i.e., \gi ■ 4>o) = \<t>i}), and let gj G G be the j'th coset 
representative of (i.e., \gj ■ (pi) = \<f>j))- Then elements of the left coset of H represented by 

(gi,gj,0) will all map to the same value \4>i) <g> via /. □ 
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4 Decision versus Search 



For any NP-complete problem, its decision version and search version are polynomial-time equiv- 
alent. Another problem having this property is Graph Isomorphism |Mat79j . 

4.1 Hidden Subgroup over permutation groups 

We adapt techniques in Arvind and Toran [ATOlj to show that over permutation groups, Hidden 
Subgroup also has this property. 

Lemma 4.1 Given (generating sets for) a group G < S n , a function f : G — > S that hides a 
subgroup H < G, and a sequence of subgroups G\, . . . < S n , an instance of Hidden Subgroup 
can be constructed to hide the group D = {(g,g, ■ ■ ■ ,g) \ g 6 HnGiH- ■ -riG^} inside GxG\X- ■ -xG^. 

Proof. Define a function /' over the direct product group G X G± X • • • X Gk so that for any element 
(g,9i, ■ ■ -,gk), f'(g,gi, ■■■,gk) = {f(d),99i 1 ,- ■ -,99k 1 )- The values of /' are constant and distinct 
over left cosets of D. □ 

In the following, we will use the tuple (G, f) to represent a standard Hidden Subgroup input 
instance, and (G,f,G\, . . . ,Gk) to represent a Hidden Subgroup input instance constructed as 
in Lemma 14. II 

We define a natural isomorphism that identifies S n I Z2 with a subgroup of Sr, where T = 
{(hj) | £ €E {1, . . . , n}, j S {1,2}}. This isomorphism can be viewed as a group action, where the 
group element (gi,g2, T ) maps (i,j) to (gj(i),r(j)). Note that this isomorphism can be efficiently 
computed in both directions. 

Theorem 4.2 Over permutation groups, Hidden Subgroup^ is truth-table reducible to Hidden 
Subgroup^) in polynomial time. 

Proof. Suppose / hides a nontrivial subgroup H of G, first we compute a strong generating set 
for G, corresponding to the chain {id} = G^ < G^- 1 ) < ■ • • < G^ < G^ = G. Define f over 
GlZ 2 such that /' maps (gi,g2,r) to (f(gi), /fe)) if t is 0, and (/(# 2 ), /(ffl)) otherwise. It is easy 
to check that for the group G^ l > I Z2, /'[g(»)jz 2 hides the subgroup H^> I Z2. 
Query the Hidden SUBGROUP/) oracle with inputs 

G^ l Z 2 , /'| G (i);z 2 , (Sr){(i,i),(j,2)}, (5'r){(j,2),(j',i)} 5 (Sv){(k,i),(i,2)} 
for all 1 < i < n, all j,j' E {i + 1, . . . , n}, and all k,£ G {£,... , re}. 

Claim 4.3 Xei £ 6e suc/i £/iaf JEfW = {id} and H^ 1 ^ 7^ {ici}. For a// £ < j, j' < n and all 
i < k,l < n, there is a (necessarily unique) permutation h E H^ -1 ^ such that h(i) = j, h(j') = i 
and h{k) = t if and only if the query 



K G ^' X) I z 2, /'lGCi-i)iZ 2 > (<Sr){(i,i),(j,2)}7 (5r){(i, 2 ),(j',i)}, (Sr){(k,i),{t,2)} 
to the Hidden Subgroup^) oracle answers "nontrivial." 
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Proof of Claim. For any j > i, there is at most one permutation in F^- 1 ) that maps i to j. To 
see this, suppose there are two distinct h, h! G H^~^ both of which map i to j. Then h'h~ l G 
is a nontrivial permutation, contradicting the assumption = {id}. Let /i G H^ 1-1 ^ be a 

permutation such that = j, h(j') = i, and = I. Then (h, h , 1) is a nontrivial element in 
the group fl (<S'r){(i,i),(j,2)} H (<5r){(j,2),(,j',i)} ^ {Sr){(k,i),(t,2)}i an d thus the oracle answers 

"nontrivial." 

Conversely, if the oracle answers "nontrivial," then the nontrivial element must be of the form 
(h, h' , 1) where h, h! £ H^ -1 ^, since the other form (h, h' , 0) will imply that h and h! both fix i and 
thus are in = {id}. Therefore, h will be a nontrivial element of H^ 1 ^ with = j, h(j') = i, 
and h(k) = t. This proves the Claim. 

Find the largest i such that the query answers "nontrivial" for some j,j' > i and some k,£ > i. 
Clearly this is the smallest i such that = {id}. A nontrivial permutation in iJ"^ -1 ) can be 
constructed by looking at the query results that involve G^ -1 ) I %i- 1=1 



Corollary 4.4 Over 'permutation groups, Hidden Subgroup^ and Hidden Subgroups are 
polynomial-time equivalent. 

Next we show that the search version of Hidden Shift, as a special case of Hidden Subgroup, 
also reduces to the corresponding decision problem. 

Definition 4.5 Given a generating set for a group G and two injective functions /i,/2 defined 
on G, the problem Hidden Shift^ is to determine whether there is a shift u G G such that 
fi{g) = fzigu) for all g eG. 

Theorem 4.6 Over permutation groups, Hidden Shifts and Hidden Shifts are polynomial- 
time equivalent. 

Proof. We show that if there is a translation u for the two injective functions defined on G, we can 
find u with the help of an oracle that solves Hidden Shift^. First compute the strong generator 
set U" =1 Cj of G using the procedure in [FHL80] . Note that Uf =k Ci generates G^ -1 ) for 1 < k < n. 
We will proceed in steps along the stabilizer subgroup chain G = G^ > G^ > • • > G^ = {id}. 

Claim 4.7 With the help of the Hidden Shift^ oracle, finding the translation u\ for input 
(G^^/1,/2) reduces to finding another translation for input (G^ l+1 \ /{, fy). In particular, 
we have m = Uj + i<7j. 

Proof of Claim. Ask the oracle whether there is a translation for input (G*- i+1 \ , /2lc( i + 1 ))- 

If the answer is yes, then we know U{ G G^ +1 ^ and therefore set o~i = id and Ui = Ui+iOj. 

If the answer is no, then we know that u is in some right coset of G^ +1 -* in G". For every 
r G Gj+i, define a function f T such that f T (x) = ^(xr) for all x G G^ l+1 \ Ask the oracle whether 
there is a translation for input (G*- i+1 \ /iIg^+i), /r)- The oracle will answer yes if and only if u and 
r are in the same right coset of G^ +1 ^ in G^\ since 

u and r are in the same right coset of G^ +1 ^ in G^ 
u = u't for some t' G G^ +1 ^ 

= h{xu) = faixu'r) = f T (xu') for all x G GW 
u' is the translation for (G^ l+1 \ / r ). 
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Then we set G{ = t. 



We apply the above procedure n — 1 times until we reach the trivial subgroup The 
translation u will be equal to o n a n -\ ■ ■ ■ o\. Since the size of each Cj is at most n — i, the total 
reduction is in classical polynomial time. □ 



4.2 Hidden Subgroup over dihedral groups 

For Hidden Subgroup over dihedral groups D n , we can efficiently reduce search to decision when 
n has small prime factors. For a fixed integer B, we say an integer n is 5-smooth if all the prime 
factors of n are less than or equal to B. For such an n, the prime factorization can be obtained in 
time polynomial in B + logn. Without loss of generality, we assume that the hidden subgroup is 
an order- two subgroup of D n [EHOO] . 

Theorem 4.8 Let n be a B-smooth number, Hidden Subgroup over the dihedral group D n re- 
duces to Hidden SUBGROUP/) over dihedral groups in time polynomial in B + logn. 

Proof. Without loss of generality, we assume the generator set for D n is {r, a}, where the order 
of r and a are n and 2, respectively. Let p^p^ 2 • ■ 'PV" be the prime factorization of n. Since n is 
5-smooth, pi < B for all 1 < i < k. Let the hidden subgroup H be {id, r a a} for some a < n. 

First we find a mod p^ 1 as follows. Query the Hidden SUBGROUP/) oracle with input groups 
(we will always use the original input function /) (r Pl , a), (r Pl , ra), . . . , (r Pl , r Pl a). It is not 
hard to see that the Hidden SUBGROUP^) oracle will answer "nontrivial" only for the input group 
(r pi ,r mi a) where mi = a modpi. The next set of input groups to the Hidden Subgroup^ 
oracle are (r p i , r mi a) , (r p i , r Pl+rril a), . . . , (r Pl , r^ Pl ~ 1 ' Pl+mi a). From the oracle answers we obtain 
ni2 = a mod p\. Repeat the above procedure until we find a mod p^ 1 . 

Similarly, we can find a mod p^ 2 , . . . ,a mod p^ k . A simple usage of the Chinese Remainder 
Theorem will then recover a. The total number of queries is e\p\ + e2P2 + • • • + &kPk, which is 
polynomial in logn + B. □ 



5 Nonadaptive Checkers 

An important concept closely related to self-reducibility is that of a program checker, which was 
first introduced by Blum and Kannan [BK95j. They gave program checkers for some group- 
theoretic problems and selected problems in P. They also characterized the class of problems hav- 
ing polynomial-time checkers. Arvind and Toran [AT01] presented a nonadaptive NC checker for 
Group Intersection over permutation groups. In this section we show that Hidden Subgroup^ 
and Hidden Subgroup over permutation groups have nonadaptive checkers. 

For the sake of clarity, we give the checker for Hidden Subgroup^ first. Let P be a program 
that solves Hidden Subgroup^ over permutation groups. The input for P is a permutation group 
G given by its generating set and a function / that is defined over G and hides a subgroup H of G. 
If P is a correct program, then P(G, f) outputs TRIVIAL if H is the trivial subgroup of G, and 
NONTRIVIAL otherwise. The checker C p {G,f,O k ) checks the program P on the input G and / 
as follows: 
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Begin 

Compute P(GJ). 

if P(G, f) = NONTRIVIAL, then 

Use Theorem 14.21 and P (as if it were bug-free) to search for a nontrivial element h of H. 

if f(h) = f(id), then 
return CORRECT 

else 

return BUGGY 
if P(G, /) = TRIVIAL, then 
Do k times (in parallel): 

generate a random permutation u G G. 

define /' over G such that f(g) = f'{gu) for all g E G, use (G, /, /') to be an input instance of 
Hidden Shift 

use Theorem 13. II to convert (G, /, /') to an input instance (G 1 Z 2 , /") of Hidden Subgroup 
use Theorem 14.21 and P to search for a nontrivial element h of the subgroup of G I Z 2 that /" 

hides. 

if h ^ (it~\u, 1), then return BUGGY 
End-do 

return CORRECT 
End 

Theorem 5.1 If P is a correct program for Hidden Subgroup^, then C P (G, /, k ) always out- 
puts CORRECT. IfP(GJ) is incorrect, then Pr[C p {G, f,0 k ) outputs CORRECT] < 2" fc . More- 
over, C P (G, f, k ) runs in polynomial time and queries P nonadaptively. 

Proof. If P is a correct program and P(G, f) outputs NONTRIVIAL, then C P ({G, f, k ) will find 
a nontrivial element of H and outputs CORRECT. If P is a correct program and P(G, f) outputs 
TRIVIAL, then the function /' constructed by C P (G, /, fc ) will hide the two-element subgroup 
{(id,id,0),{u,u-\l)}. Therefore, C p (G,f,O k ) will always recover the random permutation u 
correctly, and output CORRECT. 

On the other hand, if P(G, f) outputs NONTRIVIAL while H is actually trivial, then C P (G, f, fc ) 
will fail to find a nontrivial element of H and thus output BUGGY. If P(G, f) outputs TRIVIAL 
while H is actually nontrivial, then the function /" constructed by C P (G, f, k ) will hide the sub- 
group (H x u~ 1 Hu x {0}) U (u~ 1 H x Hu times {1})- P correctly distinguishes u and other 
elements in the coset Hu only by chance. Since the order of H is at least 2, the probability that 
C p (G,f,0 k ) outputs CORRECT is at most 2~ k . 

Clearly, C P (G, f,0 k ) runs in polynomial time. The nonadaptiveness follows from Theorem 14.21 

□ 

Similarly, we can construct a nonadaptive checker C P (G, /, k ) for a program P(G,f) that 
solves Hidden Subgroup over permutation groups. The checker makes k nonadaptive queries. 

Begin 

Run P(G, /), which outputs a generating sets S. 
Verify that elements of S are indeed in H . 
Do k times (in parallel): 

generate a random element «eG. 

define /' over G such that f(g) = f'(gu) for all g s G, use (G, /, /') to be an input instance of 
Hidden Coset 
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use Theorem 13. II to convert (G, /, /') to an input instance (G I Z 2 , /") of Hidden Subgroup 
P(G I Z2, /") will output a set S' of generators and a coset representative v! 
if 5 and S' don't generate the same group or u and v! are not in the same coset of S, then 
return BUGGY 
End-do 

return CORRECT 
End 

The proof of correctness for the above checker is very similar to the proof of Theorem 15.11 

6 Further Research 

Each of the problems we have looked at in this paper can vary widely in complexity, depending 
on the type underlying group. So it is, for instance, with Hidden Subgroup, which yields to 
quantum computation in the abelian case but remains apparently hard in all but a few nonabelian 
cases. The reductions of these problems to Hidden Subgroup given in this paper all involve 
taking wreath products, which generally increases both the size and the "difficulty" of the group 
considerably. (For example, G I H is never abelian unless one of the groups is abelian and the other 
is trivial, whence G\H = GoiGlH = H.) It is useful in general to find reductions between 
these problems that map input groups to output groups that are of similar difficulty, e.g., abelian 
i — > abelian, solvable 1— ► solvable, etc. This would provide a finer classification of the complexities of 
these problems. 

The embedding aspect of the reduction in Proposition 13.31 suggests a stronger question: given 
any function / on GXL n that hides some subgroup generated by (it, ... , u, -u 1-n , 1) for some u (where 
the function is not necessarily the one constructed by the reduction), can one efficiently recover an 
instance of (n, G)-GHSh that maps via the reduction to an instance of Hidden Subgroup over 
G I Z n with the same hidden subgroup? A yes answer would show that Generalized Hidden 
Shift is truly a special case of Hidden Subgroup, and as a corollary would show that these 
instances of Hidden Subgroup over G I Z n for small n (polynomial in the size of elements of G) 
reduces to Hidden Subgroup over GlZ 2 . 
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